semodule: Failed!

Dominick Grift domg472 at gmail.com
Tue Nov 10 19:44:55 UTC 2009 

On Tue, 2009-11-10 at 11:17 -0800, John Oliver wrote:
> On Tue, Nov 10, 2009 at 02:51:49PM +0100, Dominick Grift wrote:
> > On Mon, 2009-11-09 at 15:27 -0800, John Oliver wrote:
> > > [root at mda-services4 ~]# grep nagios /var/log/audit/audit.log |
> > > audit2allow
> > > 
> > > 
> > > #============= nagios_t ==============
> > > allow nagios_t var_t:dir read;
> > > [root at mda-services4 ~]# grep nagios /var/log/audit/audit.log |
> > > audit2allow -M nagios
> > > ******************** IMPORTANT ***********************
> > > To make this policy package active, execute:
> > > 
> > > semodule -i nagios.pp
> > > 
> > > [root at mda-services4 ~]# semodule -i nagios.pp
> > > libsepol.print_missing_requirements: nagios's global requirements were
> > > not met: type/attribute nagios_t
> > > libsemanage.semanage_link_sandbox: Link packages failed
> > > semodule:  Failed!
> > > 
> > > 
> > > 
> > > What on Earth does that mean???
> > > 
> > It means you (probably) did something that is not so smart:
> > 
> > My guess is that you have overwritten the distributed nagios module.
> 
> Ahh!
> 
> Actually, the distributed module wasn't installed at all, as nagios was
> installed after the fact.  So, I removed mine and added the distributed
> one, and nagios will start.  However, there's still at least one rule
> missing from the distributed module (and yes, I updated the selinux
> related RPMs):
> 
> type=AVC msg=audit(1257880340.235:135261): avc:  denied  { read write }
> for  pid=15599 comm="ping"
> path="/var/nagios/spool/checkresults/checkemlez9" dev=dm-0 ino=196622
> scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_t:s0
> tclass=file
> [root at mda-services4 ~]# tail -50 /var/log/audit/audit.log | grep nagios
> | audit2allow
> 
> 
> #============= ping_t ==============
> allow ping_t var_t:file { read write };
> 
> 
> libselinux-1.33.4-5.5.el5
> libselinux-utils-1.33.4-5.5.el5
> selinux-policy-2.4.6-255.el5_4.1
> libselinux-python-1.33.4-5.5.el5
> selinux-policy-targeted-2.4.6-255.el5_4.1
> 
Yes i bet the nagios policy is full of bugs.

A quick workaround to solve this issue is to label /var/nagios/spool/
type nagios_spool_t and then use audit2allow to allow ping rw
nagios_spool_t files:

echo "policy_module(mynagiospatch1, 0.0.1)" > mynagiospatch1.te
echo "require { type nagios_spool_t, ping_t; }" >> mynagiospatch1.te
echo "allow ping_t nagios_spool_t:file rw_file_perms;" >>
mynagiospatch1.te
echo "/var/nagios/spool(/.*)?
gen_context(system_u:object_r:nagios_spool_t, s0)" >> mynagiospatch1.te
make -f /usr/share/selinux/devel/Makefile mynagiospatch1.pp
semodule -i mynagiospatch1.pp
restorecon -R -v /var/nagios/spool

Note that this is a ugly workaround and it should be deinstalled as soon
as a solution is implemented in fedora policy (please report a bug)

My guess is that after this you will probably get more denials.

hth

More information about the fedora-selinux-list mailing list